Anyone know of a good set of ASP database tutorials?
Also, does anyone know of a password area script, so that the user, when logged in, can see some pages, whereas someone higher up, e.g. admin, can see all the pages?
thanks in advance
scroots

oracleguy

07-30-2002, 06:41 AM

I can partially answer your question, for the password area scripting. One way that I have found most effective is to have an access number, i.e. 2 for a user, and store it in a database. Then when they log in, make a session variable equal to that number.

So then for pages level 2 users and above can access you'd add this at the top of the pages:

<% If Session("Level") < 2 Then Response.Redirect("Login.asp") %>

So then if someone doesn't have a high enough access level it redirects them.

Am I making sense?

scroots

07-30-2002, 06:12 PM

You are making a little sense, I'm new to the stuff.
Could I not just have a database and IF statements, e.g. if user value = 2 then access to level two?
Doing it your way, how would I make the session variable equal a number?

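If Not rs.EOF Then
    ' A matching record was found: copy its access level into the session
    Session("AccessLevel") = rs("AccessLevel")
Else
    ' No matching record: fall back to level 0
    Session("AccessLevel") = 0
End If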

Can you explain to me how the code works?

phill_ridout

07-01-2007, 10:07 PM

Use an MD5 encryption algorithm to encrypt the password before it is stored in the database. Because you can't decrypt MD5, to check the login password you have to encrypt it using the algorithm. I have an include file which you can use that you just pass a var to in a function call.

Daemonspyre

07-02-2007, 05:47 PM

Here's the explanation that you are looking for:

Once you make your DSN-less database connection, then you submit a query to the Access database.

My issue with the query is that if you don't do some pre-query validation and character replacements, you are vulnerable to SQL injection and database hacking.

That query asks the database for the AccessLevel you are searching for in your original post. It then stores that data in a Session variable, allowing you to access it for the entire time that a user is logged in.

If you don't have any permissions in your record, or your user doesn't have a record in the database (rs.EOF = Recordset.EndOfField), it sets that session variable to '0'. This is so they have no access to your system (or read-only if you so prefer).
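
The lookup discussed in this thread, written with bound parameters instead of string concatenation, as an added example that is not code from any post here. The table and column names (Users, UserName, PasswordHash, AccessLevel), the field lengths, and the idea that the caller passes an already-hashed password are assumptions.

```asp
<%
' Added example. ADO constants (normally from adovbs.inc) declared inline.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Returns the stored access level for a matching user, or 0 when nothing matches.
' conn is an already-open ADODB.Connection (e.g. the DSN-less one from the thread).
' Users / UserName / PasswordHash / AccessLevel are assumed names.
Function LookupAccessLevel(conn, userName, passwordHash)
    Dim cmd, rs, u, h, lvl
    LookupAccessLevel = 0

    ' Coerce Null/Empty to strings, then do cheap pre-query validation.
    u = Trim("" & userName)
    h = Trim("" & passwordHash)
    If Len(u) = 0 Or Len(u) > 50 Then Exit Function
    If Len(h) = 0 Or Len(h) > 64 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound as data; user input never becomes SQL text.
    cmd.CommandText = "SELECT AccessLevel FROM Users " & _
                      "WHERE UserName = ? AND PasswordHash = ?"
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, u)
    cmd.Parameters.Append cmd.CreateParameter("hash", adVarChar, adParamInput, 64, h)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        lvl = rs.Fields("AccessLevel").Value
        ' A Null or non-numeric level is treated as no access.
        If IsNumeric(lvl) Then LookupAccessLevel = CLng(lvl)
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage on the login page. pwdHash stands for the submitted password after the
' site's own hashing step, which is outside this example:
'   Session("AccessLevel") = LookupAccessLevel(conn, Request.Form("username"), pwdHash)
%>
```

Because the function returns 0 for a missing user, a wrong password, or rejected input alike, the per-page check on the session level treats all three the same way.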